CN Less Clearly

On December 11, the China Internet Network Information Center (CNNIC) announced that individuals hoping to register .CN domain names are now required to provide a written application. This written application must be stamped with a business seal, and a photocopy of the applicant’s business license and ID must be included. This effort is touted as simply part of a greater effort to remove a significant amount of pornographic content from the web.
The reality is far more complex.
China has long used the Great Firewall of China to block any material it deems offensive, including pornographic material, so-called biased news sources and political commentary. Facebook, Twitter, and thousands of other sites are blocked and cannot be accessed from within China. As reported by Rebecca McKinnon, Assistant Professor, University of Hong Kong:
“People who work for Chinese Internet companies continue to complain that they remain under heavy pressure to be more thorough about the way in which they police and censor blogging platforms, social networking sites, discussion forums, and any form of user-generated content. “
By restricting the .CN TLD to businesses that must meet with approval by a governing body, China is reigning in control over the Internet at a time when people are increasingly looking to the web for freedom of expression, political action, and news and information from a wide variety of sources all with their own particular bias.
Since the announcement, the information security community has been abuzz with the notion that this new restriction will result in fewer malicious domains registered at .CN. That would certainly be good news for China, which has long been considered a pernicious purveyor of malicious content.
Unfortunately, it isn’t true.
Looking at the original notice, it is clear that following the initial online submission and subsequent allocation of a domain name, individuals then have 5 days to provide the appropriate governing body with the required written material. If after 5 days or if the applicant is rejected, the domain will be revoked.
It doesn’t require much thought to see how this system can easily be abused. Individuals with criminal intent can simply register for a domain and generate and propagate as much malicious content as desired over the course of the next 120 hours. It is also likely, though unknown at this time, that any money spent of the domain registration would be refunded so as not to unduly penalize legitimate businesses who may simply make an error on their forms, be rejected, and have to resubmit. To be clear, I find it unlikely that the CNNIC would require people to pay for domains that they do not own. Criminals can simply use a domain for free for 5 days and then move onto the next.
On that same note, will there be any process in place to permanently ban individuals who continually register domains only to be rejected? And does the CNNIC really expect to be able to intake and process what is potentially thousands of applications a day? What happens when that 5 day window becomes 10 days? Much to the dismay of the security world, criminals may rejoice at this announcement.
So, while cybercriminals need only a few minutes to distribute malicious content, individuals within China whose views are not in accordance with their governments’ need many words, many pages, and much support to leverage the power of the Internet to engage and enlighten the world. It is these people who will be most affected and individuals of all sorts, not just security professionals, should lament any moment when the Internet becomes a little less free, a little less open.
Meaghan Molloy
Threat Analyst